Settlement Truth / Privacy Policy / Legal

What we collect and what we don't.

Last updated: April 24, 2026

This Privacy Policy describes how Settlement Truth ("Settlement Truth," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use the website at settlementtruth.com, the Settlement Truth iOS application, the admin console, and all related services (together, the "Service"). We collect as little personal information as practical, we never sell or rent it, and we never share it with advertising networks, lead-generation services, or law firms. This Policy is incorporated into and forms part of our Terms of Service.

1. Scope and Updates

This Policy applies to all visitors and account holders of the Service. It does not cover websites or services operated by third parties to which we may link. We may update this Policy from time to time; the date at the top reflects the most recent revision. Material changes will be communicated to account holders by email and via in-app notice; continued use of the Service after the effective date constitutes acceptance of the updated Policy.

2. Information You Provide to Us

Account information: email address, a salted bcrypt hash of your password (we never see or store the password in plaintext), and an optional display name. Submission content: the data fields and narrative text you submit through the case-intake form, including location (state and city), accident year and type, vehicles involved, the other party's insurer (selected from a closed list), policy limit information, injury severity, treatment-duration information, settlement figures (gross, attorney fees, medical liens, health-insurance lien, other costs, net to client), and the narrative paragraph. Display preferences: anonymous, first-name-only, or full attribution. Profile preferences: journalist-contact opt-in (default off). Communications you initiate: when you contact us via the in-app contact form or by email, we receive the contents and the email address you used.

3. Information Collected Automatically

When you access the Service, we automatically collect technical data necessary to operate, secure, and debug the Service: your IP address, the User-Agent string of your browser or app, the timestamp of each request, the URL and HTTP status of each interaction, and similar request-level metadata. This data is logged in our server-side application logs and on the operating-system level of the cloud infrastructure that hosts the Service. We use it to rate-limit abuse, troubleshoot errors, and detect security incidents. We do NOT use third-party analytics, advertising pixels, fingerprinting libraries, A/B-testing services, session-replay tools, or any other behavioral-tracking technology. The Service has no marketing tracker of any kind.

4. Cookies and Similar Technologies

The web application uses a single first-party authentication cookie named "st_auth." It is HTTP-only (not readable by JavaScript), Secure (transmitted only over HTTPS in production), SameSite=Lax (not sent in cross-site requests), and signed by us. Its sole purpose is to keep you signed in. We do not use third-party cookies, advertising cookies, retargeting pixels, or similar mechanisms. The iOS application does not use HTTP cookies at all; instead, your authentication token is stored in the iOS Keychain (a hardware-backed secure store managed by the operating system).

5. iOS Application Specifics

(a) Authentication token: stored in the iOS Keychain; cleared on sign-out and on app uninstall. (b) Push notifications: opt-in. If you grant permission, the Apple Push Notification Service provides us a device token (an opaque identifier specific to your installation of the app on your device) which we store linked to your user account. We use it solely to deliver transactional notifications about your own submissions (e.g., "your case was published," "your case was rejected"). You may revoke push permission at any time in iOS Settings; you may also request deletion of your stored device token by emailing privacy@settlementtruth.com. (c) Tracking: the iOS app does not use the iOS Advertising Identifier (IDFA), does not call ATTrackingManager, and does not contain any analytics or tracking SDK. (d) On-device caches: the app caches recently fetched stories and aggregate statistics on disk so the app works offline; this cache is local-only and never transmitted off the device.

6. How We Use Personal Information

We use personal information only for the following purposes: (a) operate your account, including authentication, password reset, and email verification; (b) review and moderate your submissions; (c) publish moderated submissions according to the display mode you selected; (d) compute aggregate statistics from published submissions; (e) send transactional email related to your account (verification, password reset, moderation outcomes, journalist-relay messages, security notices); (f) deliver push notifications you have opted into; (g) prevent fraud, abuse, and security incidents; (h) comply with legal obligations and enforce our Terms; (i) analyze and improve the Service in aggregate, de-identified form. We do NOT use personal information to send you marketing messages, run advertising campaigns, train third-party AI models, or for any purpose unrelated to operating the Service.

7. Legal Bases for Processing (EEA/UK Users)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar privacy laws, our legal bases for processing your personal information are: (a) performance of the contract you enter into with us (our Terms of Service) for account-operation and submission-publication processing; (b) your consent for optional features such as push notifications and journalist-contact opt-in (you may withdraw consent at any time); (c) our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your fundamental rights; (d) compliance with legal obligations.

8. What We Publish Publicly

Published submissions display the data fields you submitted, formatted on a public case page, in accordance with the display mode you selected. The default display mode is anonymous — no name, no display name, no identifying detail beyond the city/state/year level. Your email address is never published, regardless of display mode. Aggregate statistics (medians, rankings, share-of-zero-net, treatment-month buckets, etc.) are computed from the union of all published submissions and are presented in a way that does not identify any individual submitter; we do not surface aggregates below our minimum-sample threshold, and small-cell suppression is applied where re-identification risk would otherwise emerge.

9. Disclosures to Third Parties

We disclose personal information only to: (a) Service providers strictly necessary for operation: our cloud-hosting provider (currently Amazon Web Services, U.S.-East region) for server-side data and logs; Resend for transactional email delivery (Resend stores the email content for deliverability reporting on its servers); Apple Inc. for delivery of push notifications via APNs. Each provider is contractually obligated to protect personal information and to use it only for the purposes for which we engage them. (b) Legal recipients when required by law: a court of competent jurisdiction, a valid subpoena, search warrant, or other lawful process; or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Settlement Truth, our users, or the public. We will, where lawfully permitted, attempt to notify the affected user before responding to legal process. (c) Successor entity in connection with a corporate event: if we are involved in a merger, acquisition, asset sale, financing, or insolvency, your information may be transferred to the successor; the successor will be bound by this Policy. We do NOT disclose personal information to: advertising networks, data brokers, list brokers, lead-generation services, marketing agencies, law firms, attorney-referral services, insurance companies, or any party for any commercial purpose unrelated to operating the Service. We do NOT "sell" personal information as that term is defined under the California Consumer Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, or any analogous state law. We do NOT "share" personal information for cross-context behavioral advertising as that term is defined under the CPRA.

10. Government and Law-Enforcement Requests

Settlement Truth requires a valid legal process — a subpoena, court order, or search warrant issued by a court of competent jurisdiction in the United States — before disclosing user information to law enforcement. Voluntary disclosure is reserved for cases of imminent threat to life or safety. We publish no transparency report at this time but will do so if and when annual request volume warrants. Where lawfully permitted, we will notify the affected user before disclosure.

11. Data Retention

Account data is retained for as long as your account is active. If you delete your account: (a) personally identifying information (email address, display name, password hash, device tokens, journalist-relay records) is deleted from active systems within thirty (30) days; (b) submission content may be retained in the aggregated, de-identified dataset that powers public statistics, unless you specifically request full deletion, which we will honor; (c) backups containing personal information are retained for up to ninety (90) days and then overwritten as part of normal backup rotation; (d) records required by law (e.g., financial records for tax purposes, security-incident records) are retained for the period required and then deleted. Server-side request logs are retained for ninety (90) days and then deleted.

12. Security Measures

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, and destruction, including: TLS encryption in transit for all client-server traffic; HTTP Strict Transport Security with a one-year max-age; bcrypt password hashing at cost factor 12; httpOnly + Secure + SameSite=Lax authentication cookies; iOS Keychain storage for the mobile auth token; firewall rules limiting inbound network access to required ports only; database access restricted to localhost; principle-of-least-privilege role-based access controls for the application's database role; pre-publication moderation of all user-submitted content for PII leaks. No system is perfectly secure, and we cannot guarantee absolute security. In the event of a breach affecting your personal information, we will notify you in accordance with applicable law.

13. International Data Transfers

Settlement Truth is operated from the United States. The Service's servers, databases, and backups are located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, processed in, and stored in the United States, where data-protection laws may differ from those of your country. By using the Service you consent to this transfer. Where such transfers are subject to specific legal requirements (e.g., for EEA/UK users), we rely on appropriate transfer mechanisms such as Standard Contractual Clauses where applicable.

14. Your Rights — Universal

Regardless of where you reside, you may at any time: (a) view your account information and your submitted cases through your account settings; (b) edit any submission, which re-enters moderation; (c) unpublish or republish your submissions; (d) update your email, display name, password, and journalist-contact preference; (e) export your account and submission data — email privacy@settlementtruth.com to request a machine-readable export; (f) delete your account and request deletion of personal information. To exercise any of these rights, use the in-app controls or email privacy@settlementtruth.com.

15. Your Rights — California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the following rights, which we honor for all users regardless of state of residence: (a) Right to know — the categories and specific pieces of personal information we have collected, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom we share it (see Sections 2, 3, 6, and 9 above for the standing answer; you may also email privacy@settlementtruth.com for a request specific to your account). (b) Right to correct inaccurate personal information. (c) Right to delete personal information we have collected from you (subject to legal exceptions). (d) Right to data portability — to receive a copy of personal information you provided in a portable, machine-readable format. (e) Right to limit use of sensitive personal information — Settlement Truth does not collect sensitive personal information as defined by the CCPA. (f) Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised a CCPA right. (g) Right to opt out of "sale" or "sharing" — Settlement Truth does not sell or share (in the cross-context-behavioral-advertising sense) personal information; there is nothing to opt out of, but you may submit a verifiable opt-out request anyway by emailing privacy@settlementtruth.com or, on the web, by visiting your Account settings. We treat Global Privacy Control (GPC) signals as a valid opt-out request. To exercise any CCPA right, email privacy@settlementtruth.com from the email address on your account or follow the in-app verification flow. We will respond within forty-five (45) days, with one possible extension of forty-five (45) days as permitted by law. Authorized agents may submit requests on your behalf with a written authorization.

16. Your Rights — Other U.S. State Privacy Laws

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer-privacy statutes have rights that include access, correction, deletion, portability, and opt-out of targeted advertising, the sale of personal data, and certain forms of profiling. Settlement Truth does not engage in targeted advertising or in the sale of personal data, and does not engage in automated profiling that produces legal or similarly significant effects. We honor all access, correction, deletion, and portability requests for residents of any U.S. state regardless of whether their state has enacted a comprehensive privacy law. Submit requests to privacy@settlementtruth.com.

17. Your Rights — EEA, UK, and Switzerland (GDPR)

Subject to the General Data Protection Regulation and analogous laws, you have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent for consent-based processing. You also have the right to lodge a complaint with your national data-protection authority. Submit requests to privacy@settlementtruth.com; we will respond within thirty (30) days.

18. Children's Privacy

The Service is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen. Account creation requires that you be at least eighteen (18). If we become aware that we have collected personal information from a child under thirteen without parental consent, we will delete that information promptly. Parents or guardians who believe a child has provided personal information should contact privacy@settlementtruth.com.

19. Do Not Track and Global Privacy Control

The Service does not use third-party tracking technologies, so traditional "Do Not Track" signals are not relevant. We do, however, recognize the Global Privacy Control (GPC) browser-level signal as a valid request to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising — an activity in which Settlement Truth does not engage in any case. No personal information leaves your device for an advertising or analytics network as a result of your use of the Service.

20. Email Communications

We send only transactional email — verification, password-reset codes, moderation outcomes for your submissions, journalist-relay messages, security notices, and material changes to these policies. We do not run a marketing list. There is no commercial-email opt-out because there is no commercial email; transactional email is necessary to provide the Service and may not be opted out of as long as you maintain an account. If you delete your account, transactional email ceases.

21. Data-Breach Notification

In the event we determine that a security incident has resulted in unauthorized access to or disclosure of personal information that triggers any applicable notification requirement (e.g., state breach-notification laws, GDPR Articles 33 and 34), we will notify affected users without undue delay and provide the information required by law. We may delay notification only if, and only for as long as, a law-enforcement agency determines that immediate notification would impede its investigation.

22. Anti-AI-Training and Anti-Scraping Posture

Settlement Truth does not authorize the use of personal information collected through the Service to train large language models, generative AI systems, or any third-party AI product. Bulk scraping, mass crawling, and systematic harvesting of the Service are prohibited under our Terms of Service and may be prosecuted under the Computer Fraud and Abuse Act and analogous state laws.

23. Account Deletion Procedure

To permanently delete your account: sign in, navigate to Account → Settings, and select "Delete account"; or email privacy@settlementtruth.com from the address on file. Deletion is permanent. We will delete personally identifying information from active systems within thirty (30) days, with backups overwriting personal information within ninety (90) days. Aggregated, de-identified statistics derived from your submissions before deletion may persist in the public dataset; if you specifically request that your individual submission content be excluded from the aggregate dataset as well, we will honor that request.

24. Contact and Data-Protection Inquiries

Privacy and data-rights requests: privacy@settlementtruth.com. Security: security@settlementtruth.com. General: contact@settlementtruth.com. Press: press@settlementtruth.com. Legal/DMCA: legal@settlementtruth.com / dmca@settlementtruth.com. We respond to verified privacy requests within the timeframe applicable under your jurisdiction's law (and within forty-five days otherwise). For EEA/UK users, you may also lodge a complaint with your national data-protection authority. Settlement Truth has no formal Data Protection Officer at this time but will appoint one if and when activity volume so requires.